Administration: Secure cookies

PREREQUISITES: You must have installed SSL on your site and you must have configured all backend pages to require SSL.
For more information, see Administration: Configure SSL.

The .AspNet.Cookies is the cookie of the relaying party. The cookie of the STS depends on the protocol you use. It is one of the following:

• idsrv
  For OpenID Connect
• .ASPXAUTH
  For WRAP/SWT.

Relying party 

To configure the security of the Relying party .AspNet.Cookies cookie, perform the following:

1. Navigate to Administration » Settings » Advanced.
2. In the left pane, expand Authentication and click RelyingParty.
3. In the Authentication cookie security dropdown box, select one of the following:
   • SameAsRequest
     This is the default value. This way, the cookie is automatically secured, if the site is under SSL.
   • Always
     The cookie is always secured and must be served under HTTPS.
   • Never
     The cookie is not secured.
4. Save your changes.

STS (OpenID Connect)

In OpenId Connect, the Security Token Service cookie idsrv is always configured as SameAsRequest.

STS (WRAT/SWT)

To secure the STS cookie in WRAP/SWT, perform the following: 

1. Open the web.config file of the STS webapp. 
2. Inside section <system.web>, find <authentication mode="None" /> and replace it with the following:
3. Save and close the web.config and restart the application.
   The .ASPXAUTH cookie is secured.
4. Run your project and clear all browser cookies. 

The .SFAUTH is the cookie connected to Forms authentication. 
To secure the .SFAUTH cookie, perform the following: 

1. In Sitefinity CMS backend, click Administration » Settings » Advanced » Security.  
2. Select AuthCookieRequireSsl checkbox. 
3. Restart the application. 
4. Run your project and clear all browser cookies.